outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License
2.35k stars 371 forks

Support for Empire C2 #203

Open Cx01N opened 2 years ago

Cx01N commented 2 years ago

Hubble and I are the developers for Empire and are interested in supporting the development of RedELK. We saw that you have some basic support for logs and are interested in helping expand support. Where could we be most helpful?

Hubbl3 commented 2 years ago

I'm in too!

MarcOverIP commented 2 years ago

Hi, I'm Marc and I am an idiot :) I typed in the wrong C2 name when I said there is basic support of Empire. I meant PoshC2.

That having been said, if you are willing to help, the following steps are the way to go.

Basic Support

  1. Empire needs to generate sufficient logging of the most important actions. How much is sufficient? Cobalt Strike is a decent example of the amount of info. You can check here for the list of fields that RedELK understands for c2 logs. The more Empire supports, the better. Some of these fields can be considered too much for basic support, e.g. creds.*, c2.listener.* and screenshot.*
  2. On the c2 server side we need to make sure the logs of Empire are ingested by the RedELK component running on the c2 server. We do this by creating a filebeat config file with the correct parameters. You can check here for a few examples.
  3. On the ELK server side the logs need to be parsed. We do this with Logstash. So we need to create logstash filter rules. This is where the field list of step 1 comes into play. See the Cobalt Strike one as an example.

Full Support

  1. On c2 server side a cron job runs that copies some basic log files from the source C2 dir to a dedicated directory. This dedicated dir later gets synced back to RedELK server for easy viewing of the full log files straight from the Kibana interface. See example here.
  2. Same as previous step we might need extra scripts to gather other relevant data of your C2. This depends on the C2. Some examples here
  3. On the RedELK server side we want some scripts for Logstash to insert URL paths for the extra fun things like screenshots, keylog transcripts, credentials, etc. Some examples here
  4. Revisit the fields skipped in step 3 to make sure we get maximum value from the logs.

Now, this isn't too hard if you have some experience with the ELK stack. And the examples can be very valuable. So you might be able to produce this all yourself. Of course we're here for questions.

But the most important thing that I cannot influence is number 1 of the list above: the amount of logging that Empire emits. Could you perhaps give a few examples of logs that Empire emits?
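An added illustration of step 3 of the basic-support list (parsing C2 log lines into the fields RedELK indexes); this is example code written for this page, not code from RedELK or Empire. In RedELK that step is a Logstash filter; the Python below mirrors the same grok-style approach so it can be run offline. The Empire log format is constructed here (nobody in the thread has yet posted real Empire output), and the dotted field names (`c2.program`, `c2.log.type`, `implant.id`, `host.name`, `user.name`, ...) are assumptions modelled on ECS-style naming, not the authoritative RedELK field list, which lives in the repo's docs. Fields the thread calls "too much for basic support" (creds.*, c2.listener.*, screenshot.*) are deliberately not emitted.

```python
import re
from datetime import datetime, timezone

# Constructed sample log in a hypothetical Empire-like format. It exists only to
# exercise the parser; real Empire output may look completely different.
SAMPLE_LOG = """\
2023-05-01 10:15:02 [*] New agent K3XMV7 checked in from 10.0.0.15 (WS01\\alice)
2023-05-01 10:15:40 [>] Tasked K3XMV7 to run: whoami
2023-05-01 10:15:41 [<] Results from K3XMV7: ws01\\alice
2023-05-01 10:16:05 [!] Agent K3XMV7 lost
this line has no timestamp and should be rejected
"""

# Outer structure shared by every line: timestamp, a marker, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<marker>[*><!])\] (?P<msg>.*)$"
)
# Per-event patterns that pull the structured bits out of the message.
CHECKIN_RE = re.compile(
    r"New agent (?P<agent>\S+) checked in from (?P<ip>\S+) "
    r"\((?P<host>[^\\]+)\\(?P<user>[^)]+)\)"
)
TASK_RE = re.compile(r"Tasked (?P<agent>\S+) to run: (?P<cmd>.*)")
OUTPUT_RE = re.compile(r"Results from (?P<agent>\S+): (?P<out>.*)")
LOST_RE = re.compile(r"Agent (?P<agent>\S+) lost")

# Marker -> event type. Assumed mapping for the constructed format.
MARKER_TYPES = {"*": "checkin", ">": "task", "<": "output", "!": "lost"}


def parse_line(line):
    """Map one log line to a flat dict of dotted field names (assumed names,
    ECS-style). Returns None when the line does not match the outer format,
    which is what a Logstash _grokparsefailure tag would flag."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat(),
        "c2.program": "empire",
        "c2.log.type": MARKER_TYPES[m["marker"]],
        "c2.message": m["msg"],
    }
    msg = m["msg"]
    d = CHECKIN_RE.match(msg)
    if d:
        doc.update({
            "implant.id": d["agent"],
            "host.ip": d["ip"],
            "host.name": d["host"],
            "user.name": d["user"],
        })
        return doc
    d = TASK_RE.match(msg)
    if d:
        doc.update({"implant.id": d["agent"], "c2.task": d["cmd"]})
        return doc
    d = OUTPUT_RE.match(msg)
    if d:
        doc.update({"implant.id": d["agent"], "c2.output": d["out"]})
        return doc
    d = LOST_RE.match(msg)
    if d:
        doc["implant.id"] = d["agent"]
    return doc


def parse_log(text):
    """Parse a whole log; return (documents, rejected_lines) so that unparsed
    lines are surfaced rather than silently dropped."""
    docs, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        doc = parse_line(line)
        if doc is None:
            rejected.append(line)
        else:
            docs.append(doc)
    return docs, rejected


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for d in parsed:
        print(d)
    print("rejected:", bad)
```

The point of returning the rejected lines separately is the same reason Logstash tags grok failures: while Empire's logging is still being expanded, the lines the filter cannot handle are exactly the ones that tell you which log messages need more structure.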